[MDEV-9069] extend AES_ENCRYPT() and AES_DECRYPT() to support IV and the algorithm - Jira

Details

Type: Task
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Fix Version/s: 11.2.1
Component/s: Encryption
Labels:

Sprint:
10.3.3-1

Description

extend AES_ENCRYPT() and AES_DECRYPT() to support IV and the algorithm. Something like

AES_ENCRYPT(text, key, [IV [, algorithm]])

and @@block_encryption_mode variable as in 5.7

NOTE:

change in behavior: AES_ENCRYPT(str, key) can no longer be used in persistent virtual columns (and alike)
New system variable block_encryption_mode

Attachments

Issue Links

blocks

MDEV-11476 AES_ENCRYPT/DECRYPT: Improper key sizes aren't handled correctly

Open

causes

MDEV-31633 Assertion `!item->null_value' failed in Type_handler::Item_send_str

Closed

is blocked by

MDEV-10332 Server 10.2: Add support for OpenSSL 1.1

Closed

is duplicated by

MDEV-28721 Initialization vector for AES_{EN,DE}CRYPT

Closed

is part of

MDEV-28906 MySQL 8.0 desired compatibility

Open

relates to

MDEV-31474 KDF() function

Closed

MDEV-33659 Server crashed at Create_func_aes_decrypt::create_native

Closed

links to

CVE-2022-21592

(2 relates to, 1 links to)

Activity

Ascending order - Click to sort in descending order

Georg Richter added a comment - 2016-12-15 17:41

Current GCM implementation seems to be buggy - rfc test vectors for GCM partially fail - it will need some more investigation.

Georg Richter added a comment - 2016-12-15 17:41 Current GCM implementation seems to be buggy - rfc test vectors for GCM partially fail - it will need some more investigation.

Juan Lago added a comment - 2021-05-20 10:00

Is it this feature going to be implemented some day?

IV is mostly a common practice in the industry for encryption with AES-256-CBC cipher.

It makes also hard to migrate from MySQL to MariaDB due the lack of this function.

Juan Lago added a comment - 2021-05-20 10:00 Is it this feature going to be implemented some day? IV is mostly a common practice in the industry for encryption with AES-256-CBC cipher. It makes also hard to migrate from MySQL to MariaDB due the lack of this function.

Sergei Golubchik added a comment - 2021-05-21 15:14

yes

Sergei Golubchik added a comment - 2021-05-21 15:14 yes

Philipp Grafe added a comment - 2021-07-08 10:44

Is there already a new time schedule or version? We are also eagerly waiting for this.

Philipp Grafe added a comment - 2021-07-08 10:44 Is there already a new time schedule or version? We are also eagerly waiting for this.

Sergei Golubchik added a comment - 2022-12-12 23:12 - edited

MySQL implements

AES_ENCRYPT(str, key_str [,init_vector [,kdf_name [,salt [,info | iterations]]]])

with 6 positional arguments this is, I think, way out of comfort usage zone. And it does not allow to specify the mode, it has to be specified via block_encryption_mode variable. I would rather suggest

AES_ENCRYPT(str, key [,iv] [USING mode])

2- and 3-argument syntax is compatible with MySQL. Encryption mode is specified via a keyword, so it won't cause ambiguities if we'll later want to add full MySQL compatibility syntax.
But I think it'd be more user-friendly to add a separate function, say,

KDF(key_str [, kdf_name [, salt [, info | iterations]]])

which is not part of this task

Sergei Golubchik added a comment - 2022-12-12 23:12 - edited MySQL implements AES_ENCRYPT(str, key_str [,init_vector [,kdf_name [,salt [,info | iterations]]]]) with 6 positional arguments this is, I think, way out of comfort usage zone. And it does not allow to specify the mode, it has to be specified via block_encryption_mode variable . I would rather suggest AES_ENCRYPT(str, key [,iv] [USING mode]) 2- and 3-argument syntax is compatible with MySQL. Encryption mode is specified via a keyword, so it won't cause ambiguities if we'll later want to add full MySQL compatibility syntax. But I think it'd be more user-friendly to add a separate function, say, KDF(key_str [, kdf_name [, salt [, info | iterations]]]) which is not part of this task

Sergei Golubchik added a comment - 2023-06-13 08:27 - edited

On the other hand, the syntax without a keyword will make it a normal function with no special rules in the parser. And the server will still be able avoid ambiguities because kdf values differ from mode values.

Sergei Golubchik added a comment - 2023-06-13 08:27 - edited On the other hand, the syntax without a keyword will make it a normal function with no special rules in the parser. And the server will still be able avoid ambiguities because kdf values differ from mode values.

Lena Startseva added a comment - 2023-07-25 06:07

Ok to push

Lena Startseva added a comment - 2023-07-25 06:07 Ok to push

People

Assignee:: Sergei Golubchik

Reporter:: Sergei Golubchik

Votes:: 15 Vote for this issue

Watchers:: 20 Start watching this issue

Dates

Created:: 2015-11-02 19:26

Updated:: 2024-07-08 01:11

Resolved:: 2023-08-02 13:52

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server